@War: The Rise of the Military-Internet Complex (30 page)

In March of that year at least twenty natural gas pipeline companies in the United States alerted the Homeland Security Department to suspicious e-mails sent to their employees.
They appeared to come from someone the employees knew or were likely to know because of their jobs—standard spear phishing. Some of the employees—it's still unclear how many—opened the messages and released spyware onto the corporate networks of the pipeline operators. The hackers didn't have access to the control systems of the pipelines themselves, but they were potentially within striking distance. If the pipeline operator had air-gapped the facility's control systems from the public Internet, they were probably safe. Of course, there was always the risk that an unsuspecting employee could carry the malware over the air gap via a USB drive.

Officials at the highest levels of the FBI, Homeland Security, and the NSA were on alert. An intruder who could control the pipeline could conceivably disrupt the flow of natural gas, or perhaps cause internal controls to malfunction, leading to a breakdown or even an explosion. Approximately 200,000 miles of natural gas pipelines crisscross the United States, and natural gas accounts for nearly a third of the nation's energy supply. There'd never been a confirmed cyber attack that destroyed a pipeline. But at the height of the Cold War, the CIA allegedly installed malicious software in equipment used on a Siberian pipeline that exploded in 1982.
In theory, it was possible to remotely change the pressure inside the pipeline, a form of attack similar to the one the NSA used on the Iranian nuclear facility.

Once the natural gas companies informed the government that they were being probed, officials sent “fly away” teams to the facilities and gathered information from computer hard drives and network logs. The source of the e-mails was traced to a single campaign that analysts said started as early as December 2011. The alerts from companies about spies on their networks were “never-ending,” says a former law enforcement official who worked on the case.
But the true intent of the campaign still eluded analysts. Were the intruders trying to gather competitive information about the pipeline companies, such as where they planned to look next for gas or where they'd build their next facility? Or were they trying to disrupt energy flows, or plant malware that could be triggered at some later date to destroy the pipeline?

In order to find out, government investigators decided not to issue a public warning and instead to watch the intruders and see what information they went after. It was a risky move. At any moment the intruders might have launched an aggressive attack on the corporate networks, stealing or erasing valuable information. And there was still the chance, however slim, of an attack on the pipelines themselves, which would have disastrous economic consequences and could kill anyone near an explosion. The authorities met with individual companies and held classified briefings about what they knew so far. They shared “mitigation strategies” with corporate security personnel, including the known e-mail addresses that had sent the spear phishes and certain IP addresses to which the pipeline operators could block outbound access.
But the government didn't purge the networks of the spies, nor did it instruct the companies to do so. On March 29 an emergency response team stationed at the Homeland Security Department that works in tandem with the NSA posted an alert to all pipeline companies on a classified government website instructing them to allow the spies to keep rooting around as long as they didn't appear to threaten the operations of the pipelines themselves. In Washington, government officials alerted the trade associations representing oil and gas companies and told them to keep the operation under wraps.

The response to the pipeline intrusions marked a new, heightened level of government influence over cyber defense in the energy sector. The natural gas companies and their lobbyists in Washington followed the government's lead and instructions. Throughout most of the investigation, the government successfully enforced a press and public information blackout among the energy companies. A significant campaign against a vital US infrastructure had been under way for weeks, and barely anyone knew. News reports about the breach first appeared in May, two months after the government surveillance operation began.

The government pushed into other energy sectors as well. That summer, Homeland Security and the Energy Department sponsored a classified cyber threat briefing for the CEOs of electric utilities, offering them the temporary security clearances so they could learn more about threats against their sector.
Energy companies were less cognizant of the dangers to their networks than companies in other sectors, particularly financial services, where companies shared information routinely and had set up systems for sharing details about intrusions and hacking trends in a classified setting. The energy companies, by contrast, feared looking weak to their competitors and possibly giving them insights about future strategy if they opened up about their inadequate cyber security.

But government officials had grown impatient. In Congress, advocates of a new law to regulate cyber security standards for utility companies continued to press their case, pointing to the rash of intrusions against natural gas pipelines to bolster their argument. Their efforts would ultimately fail that autumn, paving the way for Obama to implement as many defenses as he could through an executive order. Companies would be encouraged to adopt security standards and practices developed by the National Institute of Standards and Technology, which consulted with a broad range of industry experts and the intelligence agencies. Companies were free to ignore the government's advice. But if their infrastructure were damaged by a preventable cyber attack, they might be held civilly or even criminally liable and then have to explain to a judge why they chose to strike out on their own.

In the wake of the 2012 intrusions into gas pipeline companies, the government has held classified briefings for nearly seven hundred utility company personnel. Homeland Security, the FBI, the Energy Department, and the Transportation Security Administration launched what officials called an “action campaign” to give companies “further context of the threat and to highlight mitigation strategies,” according to a Homeland Security bulletin.
The campaign began in June 2013 and has featured classified meetings in at least ten American cities, including Washington, New York, Chicago, Dallas, Denver, San Francisco, San Diego, Seattle, Boston, and New Orleans, as well as “numerous others via secure video teleconferences.” Energy companies have also begun to train their employees in the basics of cyber defense. Shell, Schlumberger, and other major companies have sent their employees fake spear-phishing e-mails with pictures of cute cats and other enticements.
Experts who've trained the companies say that nearly all employees initially fall for the e-mails, but after training, as many as 90 percent learn to avoid clicking on embedded links and attachments, which are the usual triggers to unleash malware.

Inside the NSA, officials have continued to press for greater authority to expand their defense writ. In a rare public appearance in Washington in May 2013, Charles Berlin, director of the NSA's National Security Operations Center, reflected a widely held view among America's spies that it would be “almost immoral” for the agency to focus solely on protecting government computer networks and information.
“The mission of the Department of Defense . . . [is] to protect America,” said Berlin, who ran the agency's nerve center for signals intelligence and defense of computer networks. “I've been on the ramparts pouring boiling oil on the attackers for years,” he said. “At the present time, we're unable to defend America.”

 

Throughout the anxious spring of 2012, there was little doubt among law enforcement, intelligence, and private security officials where the attackers were coming from. But the question remained: what was their goal?

The former law enforcement official who worked the case says the hackers were based in China and that their campaign was part of a broader Chinese strategy of mapping critical infrastructure in the United States. Whether their precise purpose was espionage or laying the grounds for cyber warfare remains unclear. But the two activities are connected along a spectrum: in order to attack a facility, the intruder needs to map it out and understand its weak spots. And there are warning signs that the Chinese are looking for such vulnerabilities. A few months after the intrusions into the natural gas pipelines were revealed, the Canadian technology company Telvent, which makes industrial control or SCADA systems used in Canada and the United States, said its networks had been infiltrated by hackers the company believes were in China.

But cyber warfare with the United States isn't in China's long-term interest. Economic competition is, however. The country has a pressing need to learn more about where US companies have found sources of energy, and how they plan to extract it. In part, that's to support China's ambitions in the energy sphere. But the country also needs to fuel a rapidly expanding economy, which, though it has slowed in recent years, still saw GDP growth of 7.8 percent from 2009 to 2013.

China is seeking to replace its traditional sources of fossil fuels. The country depends mostly on coal for its energy, and the toxic air quality in many Chinese cities shows it. China is the world's second-largest consumer of coal and accounts for nearly half of all coal consumption.
Oil production in China has peaked, forcing the country to look more for deposits offshore and to turn toward cleaner and more abundant sources of fuel.

To secure China's future sources of energy, state-run companies have been looking to extract natural gas, which so far accounts for a tiny fraction of the country's energy consumption—just 4 percent in 2009. But to get that gas, the Chinese need fracking technology and insights into horizontal drilling techniques, which American companies pioneered and have continued to develop. A report in 2013 by the security research firm Critical Intelligence concluded that “Chinese adversaries” have infiltrated the networks of US energy companies in order to steal information about fracking and gas extraction. They noted that Chinese hackers had also targeted companies that make petrochemicals, such as plastics, for which natural gas is a precursor ingredient. The intrusions into the gas pipeline companies in 2011 and 2012 may have been related to this campaign, the research company determined.

Not that China is giving up on its traditional sources of energy. In 2009, American oil companies were hit by a wave of cyber intrusions that stole information on oil deposits the companies had discovered around the world, according to the security firm McAfee. China is the world's second-largest consumer of oil, behind the United States, and since 2009 the second-largest net importer of oil. At least one US energy company that planned to drill in disputed waters that China claims as its territory was infiltrated by Chinese hackers.

China is competing for natural resources at the same time that it tries to build a national energy industry. To that end, Chinese targeting of US energy companies and facilities is rampant. In 2012 the Homeland Security Department publicly reported 198 “attacks” against critical infrastructure, a 52 percent increase from the previous year. Forty percent of the attacks specifically targeted energy companies. If the United States ever went to war with China, its military would undoubtedly attempt to use footholds inside those companies' computer networks to damage or disable vital infrastructures. But for the foreseeable future, China has little interest in wounding the US economy or turning out the lights. China is one of the United States' biggest foreign lenders and its most important trading partner. It has a direct interest in America's overall economic health and the purchasing power of US consumers. And the country has pursued legitimate paths toward finding sources of energy in the United States and learning about American technology, placing more than $17 billion in oil and natural gas deals in the United States and Canada since 2010.

China is playing a double game—investing in American companies at the same time that it steals knowledge from them. It's an unsustainable path. If Chinese theft of American intellectual property makes those companies less competitive in the global market, the US economy could suffer, and so would China. US intelligence officials have concluded that short of intense diplomatic pressure or economic sanctions, the Chinese are unlikely to halt their cyber campaign. So, the government has become more aggressive in its attempts to protect critical infrastructure. That's what helped drive the decision to defend and monitor the natural gas pipelines in 2012. The only comfort for US national security is that, so far, the Chinese have shown no indication that they want to escalate their campaign from espionage to warfare.

But that's not the case for another US adversary.

 

Beginning in September 2012, banks across the United States found themselves in the cross hairs of what appeared to be a relatively common form of cyber attack. It wasn't the banks' money the hackers were after but their websites, which allow customers to log in to their accounts, check balances, pay bills, and transfer money. The attackers flooded the banks' web servers with traffic sent from other computers that were under their control, overwhelming them and causing the sites to crash. Dozens of bank sites were hit, causing significant disruptions in business for Bank of America, Wells Fargo, Capital One, Citigroup, HSBC, and other marquee and lesser-known institutions.

Banks, like many companies that conduct business on the web, had faced these so-called denial-of-service attacks before. Most security experts saw them as a nuisance, not an existential threat to the company, and usually an affected website was back up and running within a few hours. But this attack was unprecedented in its scale and sophistication. The attackers created huge networks of computers from which to launch their assault, which sent a staggering amount of traffic the banks' way. By one estimate, the flow was several times larger than what Russia had directed at computers in Estonia in 2007, an attack that ground the country's electronic infrastructure to a halt and was generally regarded as among the most devastating on record.
The banks' Internet service providers reported more traffic than they'd ever seen directed at a single website.
The attackers appeared to have hijacked whole data centers, or clouds, of thousands of computer servers. It was as if rather than launching a few ships against their targets, they had sent an armada.